Testing Backup Software: Anti-Ransomware Insurance
If virus protection has been defeated and a lockout screen is blocking access to the system and important files, Windows users fall into two camps: ransomware victims on one side and users of backup programs on the other. The latter group can withstand attacks by blackmail Trojans with much greater peace of mind, because they have an additional level of protection against aggressive malware attacks. In the ideal case, a data backup program detects the attack, stops it and resets the system or the attacked files to the last safe backup version. If this is not possible, at least the last safe backup versions can be restored. In this test, in addition to traditional backup functions, user-friendliness, and backup and restore speed, the experts at AV-TEST also evaluated how the programs respond to attacks with current malware.
Ransomware attacks: Time is money!
Blackmail Trojans often make a fool out of antivirus software. It generally takes several hours for a current malware sample to go from initial detection by individual antivirus programs to being included in the latest virus definitions, a period that gives cyber blackmailers a dangerous head start. Depending upon the proliferation of this type of malware, merely clicking on a link in an email at the wrong time can, from one second to the next, turn previously unsuspecting users into victims of online blackmail costing several hundred euros. That is why, in a good security concept, a regularly updated antivirus program is always flanked by backup software.
The new backup generation
While many manufacturers, along with many PC users, do not perceive their data backup programs as one element in such a two-stage security strategy, other manufacturers are adopting a whole new approach: with "Acronis True Image 2017 New Generation Premium" 184.108.40.20606, "Carbonite Personal PLUS" 6.2.1 build 6804, "CrashPlan for Home" 4.8.0 (1435813200480) and "IDrive" 220.127.116.11, four next-generation backup programs are vying for users' trust. All these backup programs can handle traditional backup methods, e.g. backup copies of individual files, as well as full images of an entire system on storage media such as external hard drives.
Cloud protection against blackmailers
In addition to the cloud storage included in the paid applications, the programs offer even more functions. These include an "authenticity check" of files via digital detection patterns that are stored, for instance, in a protected online database. This makes it possible to determine whether a file still exists in its original stored condition or has been changed retroactively. With this cloud technology, it is also possible to determine whether files have been altered by a malware attack, i.e. during unwanted encryption by blackmail Trojans. If the software discovers what is probably an unwanted change during the online comparison in the background, it can warn the user and, where necessary, swap the infected file with the last safe backup version.
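The comparison described above can be illustrated as follows. This is an added example, not code from AV-TEST or from any of the tested products: SHA-256 fingerprints stand in for the "digital detection patterns", an in-memory dict stands in for the protected online database, and the entropy threshold used to decide that a change is probably unwanted encryption is an assumption.

```python
import hashlib, math, os, shutil, tempfile
from collections import Counter
from pathlib import Path

ENTROPY_LIMIT = 7.5  # assumed threshold in bits/byte; encrypted data approaches 8.0

def fingerprint(data):
    return hashlib.sha256(data).hexdigest()

def entropy(data):
    """Shannon entropy in bits per byte (0 for empty input)."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def snapshot(source, vault):
    """Copy every file into the backup vault and record its fingerprint."""
    manifest = {}
    for f in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = f.relative_to(source).as_posix()
        (vault / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, vault / rel)
        manifest[rel] = fingerprint(f.read_bytes())
    return manifest  # a real product keeps this out of the malware's reach

def verify_and_restore(source, vault, manifest):
    """Compare live files with the manifest; restore missing or encrypted-looking ones."""
    report = {}
    for rel, digest in manifest.items():
        live = source / rel
        data = live.read_bytes() if live.is_file() else None
        if data is not None and fingerprint(data) == digest:
            report[rel] = "unchanged"
        elif data is None or entropy(data) > ENTROPY_LIMIT:
            shutil.copy2(vault / rel, live)  # swap in the last safe version
            report[rel] = "restored"
        else:
            report[rel] = "modified"  # plausible user edit: warn, do not overwrite
    return report

def demo():
    """Constructed sample: one ordinary edit, one file overwritten with random bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        src, vault = Path(tmp, "docs"), Path(tmp, "vault")
        src.mkdir()
        for name in ("a.txt", "b.txt", "c.txt"):
            (src / name).write_text("quarterly report draft\n" * 200)
        manifest = snapshot(src, vault)
        (src / "b.txt").write_text("quarterly report final\n" * 200)
        (src / "c.txt").write_bytes(os.urandom(8192))  # stands in for encrypted output
        report = verify_and_restore(src, vault, manifest)
        return report, verify_and_restore(src, vault, manifest)  # second pass re-checks
```

The second pass returned by `demo()` confirms that the restored file matches its recorded fingerprint again, while the ordinary edit is still only reported.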
Active protection is not yet standard
In the test, the backup programs were required to defend test PCs running Windows 7 and their stored data against the latest ransomware versions. These included two of the very latest versions of the widespread crypto-Trojan Cerber, which proliferates by means of email attachments as well as infected websites. The programs deployed various methods to fend off the encryption Trojans. Here, True Image from Acronis was the only product in the test that was able to score points with active malware detection. Using behavior-based malware detection via the Acronis cloud, ransomware samples were detected and blocked as soon as they tried to unleash their destructive potential on the test systems. These types of protection functions can also be flanked by standalone anti-ransomware software.
While none of the other test candidates offered this type of active detection, they did score points by safely restoring the backups of infected files in most cases. In order to offer good protection using this method, a short backup interval is decisive: the shorter the backup interval, the more up to date the rescue files to be restored. IDrive stood out in this test category. In the validated default settings, the software secured data on the test systems every 20 seconds. Carbonite was the opposite: the software did create the first backup copy after 10 minutes of operation, but the next backup is only possible on the following day, namely after precisely 24 hours, which is clearly too long to provide effective support in protecting against ransomware.
In the test, none of the programs gave credence to the excuse that backup software is supposedly too complicated. Through well-organized operating menus, all four test candidates allowed for selection of the files to be backed up, specification of backup destinations and intervals, and access to additional functions. The programs did exhibit major differences in the number of steps required for setup, but this is a function of the different configuration of the program interfaces and is no detriment to the evaluation of their user-friendliness. Carbonite required the least user time and effort during initial setup. As with the selection of the additional features provided, however, user-friendliness is in the eye of the beholder, and each user has different preferences.
Data backup in a New York minute
Another decisive category in the test of backup programs is the speed of data backup and restoration. In the lab, the various data backup settings were evaluated with different data sets. This included, among other things, partitioning and backing up the complete archive of a 50 GB test data set consisting of 56 CD images and film files. The data was copied from an SSD onto an HDD. Here, as in the subsequent speed tests, Acronis beat the competition by a mile: for this data set, the software required just under 12 minutes, whereas IDrive came in second with slightly more than 53 minutes. CrashPlan required one hour and three minutes for the data set. In the time trials for backing up different data and for creating incremental backups, the Acronis software was also always clearly ahead of the other test products.
Acronis also proved to be the fastest when restoring and recovering the backed up data set: After 10 minutes and 39 seconds, the backed-up system was restored. CrashPlan required 20 minutes and 40 seconds, roughly twice as long. IDrive clocked the restored test system at 17 minutes and 17 seconds. When restoring incremental backups, Acronis outperformed both products with nearly 10 times the speed! Because the Carbonite software offers a strictly cloud-based data backup, it was not taken into consideration in the performance test.
The test clearly demonstrates that useful malware protection ought to include the deployment of backup software. "Acronis True Image 2017 New Generation Premium" was the only backup solution in the test that was able to stop ransomware attacks. That is why the program, which also delivered outstanding results in the test criterion of backup functionality, is being recognized by the AV-TEST Institute with the certificate "Approved Backup & Data Security Software". The Acronis solution clearly supports users in defending their own PC system and vital data without requiring a whole lot of commitment. You can read more about the comprehensive security study of the test developed by the lab in this PDF file.
Ransomware – a growing danger
David Walkiewicz, Head of Test Research
The number of blackmail Trojans is constantly increasing. It is no wonder that this form of malware allows criminals around the globe to cash in anonymously.
As early as 2015, the malware detection systems of AV-TEST reported "Virlock" as the first blackmail Trojan among the Top 10 of the most widely proliferated malware programs worldwide (see Security Report 2015/16, page 5). The crypto-Trojan, whose constantly changing code makes detection by protection programs difficult, was found on hundreds of thousands of PCs, encrypting EXE files, archive files, audio, video and image files, as well as the "My Documents" folder, among others.
Since then, there has been a massive increase in the number of ransomware samples. Whereas in 2015 there were just under 35 different ransomware families, by the beginning of 2017 that number was already well over 300. This should hardly come as a surprise, as this form of digital blackmail is a million-dollar business in which the perpetrators run little or no risk. They can disperse the malware worldwide and cash in on it anonymously via the Internet with online payment methods.
Whereas standard ransomware Trojans usually lock up the computers and files of their victims effectively via asymmetric RSA encryption procedures and AES, blackmail Trojans of the newest generation such as Sage 2.0 already deploy the latest state-of-the-art encryption methods such as Curve25519 and ChaCha20. Special "decryption tools" already exist for the attacks of some encryption Trojans. However, these do not crack the encryption methods used by the ransomware; instead, they exploit implementation errors in the crypto-algorithms. Thus, they in turn take advantage of software gaps left by the criminals when programming the Trojans.
In order to mount the best possible protection against the growing danger, users ought to pursue a two-track security strategy. In addition to malware protection through a constantly updated antivirus product, this also entails protection through a strong backup solution, in case an encryption Trojan does penetrate the tightly woven web of virus detection.